ITIL - IAM (Access Management)
TRANSCRIPT
GSX – ACCESS MANAGEMENT 05-2009 Josep Bardallo
ITIL v3 - Access MANAGEMENT (IdM)
Access Management. Definitions
ITIL v3 defines “Access Management” as:
“the process of granting authorized users the right to use a service, while preventing access to non-authorized users. It has also been referred to as Rights Management or Identity Management in different organizations.”
“the process that enables users to use the services that are documented in the Service Catalogue”
Access Management. Definitions
• Access refers to the level and extent of a service’s functionality or data that a user is entitled to use.
• Identity refers to the information about a user that distinguishes them as an individual and verifies their status within the organization. By definition, the Identity of a user is unique to that user.
Access Management. Definitions
• Rights (also called privileges) refer to the actual settings whereby a user is provided access to a service or group of services. Typical rights, or levels of access, include read, write, execute, change, delete.
• Services or service groups. Most users do not use only one service, and users performing a similar set of activities will use a similar set of services. Instead of providing access to each service for each user separately, it is more efficient to be able to grant each user – or group of users – access to the whole set of services that they are entitled to use at the same time.
• Directory Services refers to a specific type of tool that is used to manage access and rights.
Access Management. Roles. Workflow
Employee / User Lifecycle: joining (account creation and access grant), role change, department change, leaving.
Departments involved: HR, IT Help Desk, IT Security.
Definitions: IAM & SSO
• SSO = “Single Sign On”: a process by which a user is identified and authenticated once in order to access any application or system (“one password, entered once”).
• IAM = “Identity & Access Management”: manages the lifecycle of an employee within an organization (joining, role and department changes, leaving).
IAM: Architecture (by level of functionality)
• Repositories: directories, metadirectories, databases
• Security: authentication, authorization, audit
• Value: SSO, delegated administration, password sync, web SSO, self-service
• Collaboration: Liberty, WS-*, SAML, service-oriented architecture
• Lifecycle: provisioning, workflow, reconciliation
Grrrr!
The solution
Access Management Process. Purpose / Goal / Objective
“Access Management provides the right for users to be able to use a service or group of services. It is therefore the execution of policies and actions defined in Security and Availability Management.”
Access Management Process. Scope
Access Management is effectively the execution of both Availability and Information Security Management, in that it enables the organization to manage the confidentiality, availability and integrity of the organization’s data and intellectual property.
Access Management ensures that users are given the right to use a service, but it does not ensure that this access is available at all agreed times – this is provided by Availability Management.
Access Management is a process that is executed by all Technical and Application Management functions and is usually not a separate function. However, there is likely to be a single control point of coordination, usually in IT Operations Management or on the Service Desk.
Access Management can be initiated by a Service Request through the Service Desk.
Access Management Process. Process activities
• Requesting access: via a Request for Change, a Service Request, scripts, a human request, …
• Verification: that the user requesting access is who they say they are, and that they have a legitimate requirement for that service.
• Providing rights: provide the user with rights to use the requested service. Access Management does not decide who has access to which IT services; rather, it executes the policies and regulations defined during Service Strategy and Service Design.
• Monitoring identity status: Access Management should understand and document the typical User Lifecycle for each type of user and use it to automate the process.
• Logging and tracking access: ensuring that the rights that have been provided are being properly used.
• Removing or restricting rights.
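The following Python script is an added example, not code from the slides or from any GSX product. It executes the process activities above (and the joining / role change / leaving lifecycle from the workflow slide) against constructed data: a request is verified (requester and approver are identities HR still considers active, the approver holds an approving role, the service is in the Service Catalogue), the rights each identity should hold are derived from a role-to-service-group policy, and that desired state is reconciled against what the directory actually grants, producing grant actions for new entitlements and revoke actions for leavers, for role changes and for orphan accounts unknown to HR. The role policy, the `manager` approver role, the service names and the HR and directory records are all hypothetical.

```python
"""Added example: ITIL Access Management activities (verification, providing
rights, monitoring identity status, removing rights) run as a reconciliation
between an authoritative HR feed plus a role policy and the rights a directory
actually holds. Every role, service and record below is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical policy from Service Design: each role is entitled to a service
# group, with ITIL-style rights (read, write, execute, change, delete).
ROLE_POLICY: dict[str, dict[str, set[str]]] = {
    "finance-analyst": {"erp": {"read", "write"}, "mail": {"read", "write"}, "vpn": {"execute"}},
    "helpdesk": {"ticketing": {"read", "write", "change"}, "mail": {"read", "write"}},
    "contractor": {"mail": {"read"}},
    "manager": {"mail": {"read", "write"}},
}
SERVICE_CATALOGUE = {"erp", "mail", "vpn", "ticketing"}  # services users may request
APPROVER_ROLES = {"manager"}                             # hypothetical approving role


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    department: str
    role: str
    status: str  # "active" or "terminated": HR is the source of truth for identity status


@dataclass(frozen=True)
class Grant:
    user_id: str
    service: str
    right: str


@dataclass(frozen=True)
class Action:
    kind: str  # "grant" or "revoke"
    grant: Grant
    reason: str


def verify_request(requester_id, approver_id, service, hr_feed):
    """Verification step: the requester is a known, still-active identity, the
    approver can be verified and is entitled to approve for that department, and
    the requested service exists in the Service Catalogue. Returns (ok, reason)."""
    hr = {h.user_id: h for h in hr_feed}
    requester, approver = hr.get(requester_id), hr.get(approver_id)
    if requester is None or requester.status != "active":
        return False, "requester is not an active identity"
    if approver is None or approver.status != "active" or approver.role not in APPROVER_ROLES:
        return False, "approver cannot be verified or is not entitled to approve"
    if approver.department != requester.department:
        return False, "approver is not the manager of the requester's department"
    if service not in SERVICE_CATALOGUE:
        return False, "service is not in the Service Catalogue"
    return True, "verified"


def entitled_grants(record):
    """Rights an identity should hold: policy execution, not policy definition.
    A leaver (status != active) is entitled to nothing."""
    if record.status != "active":
        return set()
    policy = ROLE_POLICY.get(record.role, {})
    return {Grant(record.user_id, svc, r) for svc, rights in policy.items() for r in rights}


def reconcile(hr_feed, directory_grants):
    """Compare desired state (HR feed + role policy) with actual state (directory)
    and return the grant/revoke actions that close the gap. Covers role changes,
    leavers still holding rights, and orphan accounts unknown to HR."""
    hr = {h.user_id: h for h in hr_feed}
    desired = set().union(*(entitled_grants(h) for h in hr_feed))
    actual = set(directory_grants)
    order = lambda g: (g.user_id, g.service, g.right)
    actions = []
    for g in sorted(desired - actual, key=order):
        actions.append(Action("grant", g, f"role {hr[g.user_id].role} entitles {g.service}:{g.right}"))
    for g in sorted(actual - desired, key=order):
        record = hr.get(g.user_id)
        if record is None:
            reason = "orphan account: identity unknown to HR"
        elif record.status != "active":
            reason = f"identity status is {record.status}"
        else:
            reason = f"role {record.role} does not entitle {g.service}:{g.right}"
        actions.append(Action("revoke", g, reason))
    return actions


# Constructed sample data: u1 moved from helpdesk to finance, u2 has left but still
# holds rights, u3 is consistent, u4 is the finance manager, u9 is unknown to HR.
HR_FEED = [
    HrRecord("u1", "finance", "finance-analyst", "active"),
    HrRecord("u2", "it", "helpdesk", "terminated"),
    HrRecord("u3", "it", "contractor", "active"),
    HrRecord("u4", "finance", "manager", "active"),
]
DIRECTORY = [
    Grant("u1", "ticketing", "read"), Grant("u1", "ticketing", "write"), Grant("u1", "ticketing", "change"),
    Grant("u1", "mail", "read"), Grant("u1", "mail", "write"),
    Grant("u2", "ticketing", "read"), Grant("u2", "mail", "read"),
    Grant("u3", "mail", "read"),
    Grant("u4", "mail", "read"), Grant("u4", "mail", "write"),
    Grant("u9", "vpn", "execute"),
]

if __name__ == "__main__":
    print(verify_request("u1", "u4", "erp", HR_FEED))
    for a in reconcile(HR_FEED, DIRECTORY):
        print(f"{a.kind:6} {a.grant.user_id} {a.grant.service}:{a.grant.right}  ({a.reason})")
```

Running it yields three grants for u1 (the new finance entitlements) and six revokes: u1's old helpdesk ticketing rights, u2's rights because HR marks the identity terminated, and u9's VPN right as an orphan account. Applying those actions and reconciling again yields no further work, which is the property a scheduled reconciliation job relies on.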
Access Management Process. Triggers, input and output / inter-process interfaces
• An RFC. This is most frequently used for large-scale service introductions or upgrades where the rights of a significant number of users need to be updated as part of the project.
• A Service Request. This is usually initiated through the Service Desk, or directly into the Request Fulfilment system, and executed by the relevant Technical or Application Management teams.
• A request from the appropriate Human Resources Management personnel (which should be channelled via the Service Desk). This is usually generated as part of the process for hiring, promoting, relocating and termination or retirement.
• A request from the manager of a department, who could be performing an HR role, or who could have made a decision to start using a service for the first time.
Tools Samples: ESSO
(diagram: user with strong authentication; Windows logon via PSGINA / MSGINA; target applications: legacy, WSS-SAML)
Tools Samples: IAM
(diagram: applications, connectors, metadirectory, workflow; provisioning, authentication, roles; provisioning sources: HR, LDAP, DB, …)
Workflow & PKI Integration
(diagram: HR and departments submit requests; authorization workflow; IAM & SSO with PasswordBank; AD; MCS - CA with OCSP and CRL; delivery)
Example: ePayment + DNIe
(mock-up of an iPay payment screen: name Juan Perez, address, valid certificate; amount 153,03 € for table 23; payment source options A - HSBC private account, B - CityBank expenses account, C - VISA credit card, D - PayPal account; confirmation “PAID. Thanks for your visit - iPAY”)
Tools Samples: ESSO
Tools Samples: Identity Delegation
Access Management Process. Metrics
Metrics that can be used to measure the efficiency and effectiveness of Access Management include:
• Number of requests for access (Service Request, RFC, etc.)
• Instances of access granted, by service, user, department, etc.
• Instances of access granted by department or individual granting rights
• Number of incidents requiring a reset of access rights
• Number of incidents caused by incorrect access settings.
Access Management Process. Challenges, Critical Success Factors and Risks
Conditions for successful Access Management (critical success factors) include:
• The ability to verify the identity of a user (that the person is who they say they are)
• The ability to verify the identity of the approving person or body
• The ability to verify that a user qualifies for access to a specific service
• The ability to link multiple access rights to an individual user
• The ability to determine the status of the user at any time (e.g. to determine whether they are still employees of the organization when they log on to a system)
• The ability to manage changes to a user’s access requirements
• The ability to restrict access rights for unauthorized users
• A database of all users and the rights that they have been granted.
Questions?
Thank You